CPNI - Centre for the Protection of National Infrastructure

March 2007

Multiple Mandriva Security Advisories

ID: 94
Ref: 036/2007
Date: 16 March 2007 14:25:40
Version: 1

Title: Multiple Mandriva Security Advisories
Abstract: Details of security advisories concerning gnupg, kernel, timezone, nufw, mplayer, xine-lib
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva

_______________________________________________________________________

Package : gnupg
Date : March 8, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

GnuPG prior to 1.4.7 and GPGME prior to 1.1.4, when run from the command line, did not visually distinguish the signed and unsigned portions of an OpenPGP message made up of multiple components. A remote attacker could therefore add unsigned text to a signed message and have the whole message appear to be signed, forging the contents of an email without detection.

GnuPG 1.4.7 is being provided with this update, and GPGME has been patched on Mandriva 2007.0 to give clearer visual notification of these types of forgeries.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263
http://www.mandriva.com/security/advisories?name=MDKSA-2007:059
_______________________________________________________________________

Package : kernel
Date : March 9, 2007
Affected: 2006.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel. The individual issues are listed in the Mandriva advisory referenced below.

References:
http://www.mandriva.com/security/advisories?name=MDKSA-2007:060
_______________________________________________________________________

Package : timezone
Date : March 9, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Saving Time information for 2007 for certain time zones. These updated packages contain the new information.

References:
http://www.mandriva.com/security/advisories?name=MDKA-2007:018-1
_______________________________________________________________________

Package : nufw
Date : March 15, 2007
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

A number of bugs have been fixed in the nufw package, including:

- problems with a case-insensitive authentication directory
- simultaneous-run problems in pam_nufw
- nuauth crashing at start when bad IPs are placed in the configuration file
- memory leaks in nuauth
- other minor fixes

The updated packages provide version 2.0.16, which has these issues fixed.

References:
http://www.mandriva.com/security/advisories?name=MDKA-2007:019
_______________________________________________________________________

Package : mplayer
Date : March 13, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The DS_VideoDecoder_Open function in loader/dshow/DS_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set biSize before using it as the length of a memcpy, which allows user-assisted remote attackers (via a crafted video file) to cause a buffer overflow and possibly execute arbitrary code.

Updated packages have been patched to address this issue.

References:
http://www.mandriva.com/security/advisories?name=MDKSA-2007:061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1387
_______________________________________________________________________

Package : xine-lib
Date : March 13, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The DS_VideoDecoder_Open function in DirectShow/DS_VideoDecoder.c in xine-lib does not set biSize before using it as the length of a memcpy, which allows user-assisted remote attackers (via a crafted video file) to cause a buffer overflow and possibly execute arbitrary code.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:
http://www.mandriva.com/security/advisories?name=MDKSA-2007:062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1387
_______________________________________________________________________
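The mplayer and xine-lib entries above describe the same defect in a shared DirectShow loader: the biSize field of a BITMAPINFOHEADER read from the input file is used as the length of a memcpy into a fixed-size structure, so a file that claims a huge header size overruns the destination. The C program below is an added example written for this page; it is not code from MPlayer, xine-lib or Mandriva, and it does not reproduce their sources. It models the unchecked pattern as vulnerable_copy_len (returning the length the copy would use rather than performing it, since performing it on the hostile header is the overflow), and sets a hardened safe_open beside it that validates biSize against the fixed structure size and the bytes actually supplied, and sets the stored biSize from a constant instead of from the file. The header builder, the scenario functions, the 40-byte BIH_WIRE_SIZE layout constant and the MAX_CODEC_EXTRA cap on trailing codec-private bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of a Win32 BITMAPINFOHEADER: 40 little-endian bytes whose first
 * field, biSize, is the header's own claim about its length. The advisories
 * describe a memcpy whose length came from that field, not from the real size. */
#define BIH_WIRE_SIZE   40u
#define MAX_CODEC_EXTRA 1024u  /* assumed cap on trailing codec-private bytes */

typedef struct {               /* only the fields this example reads */
    uint32_t biSize;
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
} bih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed input: writes a 40-byte header into 'out'. 'claimed_size' goes
 * straight into biSize so a caller can make the header lie about itself. */
size_t build_header(uint8_t *out, uint32_t claimed_size, int32_t w, int32_t h, uint16_t bpp)
{
    memset(out, 0, BIH_WIRE_SIZE);
    wr32(out + 0, claimed_size);
    wr32(out + 4, (uint32_t)w);
    wr32(out + 8, (uint32_t)h);
    wr16(out + 12, 1);                  /* biPlanes */
    wr16(out + 14, bpp);                /* biBitCount */
    return BIH_WIRE_SIZE;
}

/* VULNERABLE pattern (hypothetical model of the advisory text): the copy length
 * is whatever the file says. The original would do memcpy(dst, hdr, length)
 * into a 40-byte structure; here the length is returned instead of used. */
uint32_t vulnerable_copy_len(const uint8_t *hdr)
{
    return rd32(hdr);                   /* attacker-controlled, never checked */
}

/* HARDENED version: reject a biSize smaller than the structure, larger than the
 * bytes actually present, or carrying more trailing data than we allow; store
 * biSize from our own constant; hand trailing bytes back as a bounded slice.
 * Returns 0 on accept, -1 on reject. */
int safe_open(const uint8_t *buf, size_t len, bih_t *out,
              const uint8_t **extra, size_t *extra_len)
{
    if (buf == NULL || len < BIH_WIRE_SIZE) return -1;
    uint32_t claimed = rd32(buf);
    if (claimed < BIH_WIRE_SIZE) return -1;                    /* shorter than the struct */
    if (claimed > len) return -1;                              /* claims bytes not supplied */
    if (claimed - BIH_WIRE_SIZE > MAX_CODEC_EXTRA) return -1;  /* keep the slice bounded */
    out->biSize        = BIH_WIRE_SIZE;                        /* constant, not from file */
    out->biWidth       = (int32_t)rd32(buf + 4);
    out->biHeight      = (int32_t)rd32(buf + 8);
    out->biPlanes      = (uint16_t)(buf[12] | buf[13] << 8);
    out->biBitCount    = (uint16_t)(buf[14] | buf[15] << 8);
    out->biCompression = rd32(buf + 16);
    out->biSizeImage   = rd32(buf + 20);
    *extra     = buf + BIH_WIRE_SIZE;
    *extra_len = claimed - BIH_WIRE_SIZE;
    return 0;
}

/* Scenarios over constructed headers. */
int scenario_benign_width(void)          /* honest header: accepted, width recovered */
{
    uint8_t buf[64]; bih_t h; const uint8_t *x; size_t xl;
    size_t n = build_header(buf, BIH_WIRE_SIZE, 320, 240, 24);
    return (safe_open(buf, n, &h, &x, &xl) == 0 && xl == 0) ? h.biWidth : -1;
}
uint32_t scenario_hostile_unchecked(void) /* length the unchecked copy would use */
{
    uint8_t buf[64];
    build_header(buf, 0x7fffffffu, 320, 240, 24);
    return vulnerable_copy_len(buf);     /* 2147483647 bytes into a 40-byte struct */
}
int scenario_hostile_checked(void)       /* same header through safe_open: rejected */
{
    uint8_t buf[64]; bih_t h; const uint8_t *x; size_t xl;
    build_header(buf, 0x7fffffffu, 320, 240, 24);
    return safe_open(buf, BIH_WIRE_SIZE, &h, &x, &xl);
}
int scenario_truncated(void)             /* claims 48 bytes, only 40 supplied: rejected */
{
    uint8_t buf[64]; bih_t h; const uint8_t *x; size_t xl;
    build_header(buf, 48, 320, 240, 24);
    return safe_open(buf, BIH_WIRE_SIZE, &h, &x, &xl);
}
int scenario_extra_bytes(void)           /* 8 trailing bytes really present: accepted */
{
    uint8_t buf[64]; bih_t h; const uint8_t *x; size_t xl;
    build_header(buf, 48, 320, 240, 24);
    memset(buf + BIH_WIRE_SIZE, 0xAA, 8);
    if (safe_open(buf, 48, &h, &x, &xl) != 0) return -1;
    return (xl == 8 && x[0] == 0xAA) ? (int)xl : -2;
}

int main(void)
{
    printf("benign width=%d hostile unchecked=%u hostile checked=%d truncated=%d extra=%d\n",
           scenario_benign_width(), scenario_hostile_unchecked(), scenario_hostile_checked(),
           scenario_truncated(), scenario_extra_bytes());
    return 0;
}
```

The point of the side-by-side is the order of operations: the hardened loader decides how many bytes it will trust before touching memory, and the size stored in the structure never comes from the file, so a later consumer that re-reads biSize cannot be steered by the input either.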

______________________________________________________________________________

CPNI wishes to acknowledge the contributions of Mandriva for the information contained in this advisory.
______________________________________________________________________________
